Yahoo! Bug Bounty Program (HackerOne)

Rewards: $100 / $500 / $3,000 / $10,000
Last updated on October 15, 2020.

Policy


Welcome to Yahoo! 


Yahoo is a global media and advertising company connecting people to their passions. With one of the largest online audiences in the world, Yahoo brings people closer to what they love, from finance and commerce to gaming and news, with the trusted products, content and tech that fuel their day. For partners, we provide a full-stack platform to amplify businesses and drive more meaningful connections across advertising, search and media.


https://hackerone.com/yahoo?type=team
11/11/21, 3:28 PM Yahoo! - Bug Bounty Program | HackerOne





We are Paranoid

Our information security team is known as the Paranoids, and we're committed to protecting our brands and our users. As part of this commitment, we invite security researchers to help protect Yahoo and its users by proactively identifying security vulnerabilities via our bug bounty program. Our program is inclusive of all Yahoo brands and offers competitive rewards for a wide array of vulnerabilities. We encourage security researchers looking to participate in our bug bounty program to review our policy to ensure compliance with our rules and also to help you safely verify any vulnerabilities you may uncover.
Rules of Engagement


By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.

Program Rules


Violation of any of these rules can result in ineligibility for a bounty and/or removal from the 
program. Three strikes will earn you a temporary ban. Four strikes means a permanent ban. 


1. Test vulnerabilities only against accounts that you own or accounts that you have permission from the account holder to test against.

2. Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.

3. If sensitive information (such as personal information, credentials, etc.) is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to Yahoo and may not be retained.

4. Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to Yahoo, its brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or Yahoo as a whole.

5. Abide by the program scope. Only reports submitted to this program and against assets in scope will be eligible for monetary award.

6. Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Yahoo or HackerOne employees), or otherwise share vulnerabilities with a third party, without Yahoo's express written permission.
Legal Terms 


In connection with your participation in this program you agree to comply with Yahoo's Terms of Service, Yahoo's Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.


Yahoo reserves the right to change or modify the terms of this program at any time. You may not 
participate in this program if you are a resident or individual located within a country appearing on 
any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury's 
OFAC). 


Yahoo does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Yahoo users or publicize this [...]

Yahoo employees (including former employees that separated from Yahoo within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Yahoo programs, whether hosted by Yahoo or any third party.


Safe Harbor 


Yahoo will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.


Please understand that if your security research involves the networks, systems, information, 
applications, products, or services of another party (which is not us), that third party may 
determine whether to pursue legal action. We cannot and do not authorize security research in the 
name of other entities. If legal action is initiated by a third party against you and you have complied 
with this Policy, we will take reasonable steps to make it known that your actions were conducted in 
compliance with this Policy. 


You are expected, as always, to comply with all applicable laws and regulations. 


Please submit a report to us before engaging in conduct that may be inconsistent with or 
unaddressed by this Policy. 


Responsible Disclosure of Vulnerabilities 


We are continuously working to evolve our bug bounty program. We aim to respond to incoming 
submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being 
triaged. 


All products and services owned by Yahoo are included in either our public or Elite bug bounty program. Please review the program scope before submitting a report. Elite scope is accessible to invited researchers only.
Testing 


Web traffic to and from Yahoo properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Yahoo bug bounty programs:

• Where possible, register accounts using your <username>+x@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.

• Tag your traffic through the addition of headers to all outbound requests. Report to us what header you set so we can identify it easily.


Identifier                Format                                        Example
Your Username             X-Bug-Bounty: HackerOne-<username>            X-Bug-Bounty: HackerOne-flyingtoasters
Unique Identifier         X-Bug-Bounty: ID-<sha256-flag>                X-Bug-Bounty: ID-6223b07c5323f18b59a370c3ce1b057c56d0eb39de620db6307279det
Event Identifier          X-Bug-Bounty: LiveHackingEvent-<eventid>      X-Bug-Bounty: LiveHackingEvent-H1-213
Tool Identifier           X-Bug-Bounty: <toolname>                      X-Bug-Bounty: BurpSuitePro
Verbose Tool Identifier   X-Bug-Bounty: <toolname>-version-<version>    X-Bug-Bounty: BurpSuitePro-version-2020.1


When testing for a bug, please also keep in mind:

• Only use authorized accounts so as not to inadvertently compromise the privacy of our users.

• When attempting to demonstrate root permissions with the following primitives in a vulnerable process, please use the following commands:
  • Read: cat /proc/1/maps
  • Write: touch /root/<your H1 username>
  • Execute: id, hostname, pwd (though, technically, cat and touch also prove execution)

• Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools; these tools include payloads that could trigger state changes or damage production systems and/or data.

• Before causing damage or potential damage: stop, report what you've found and request additional testing permission.


Crafting a Report

Reports must include, at a minimum:

• Description of the vulnerability
• Steps to reproduce the reported vulnerability
• Proof of exploitability (e.g. screenshot, video)
• Perceived impact to another user or the organization
• Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)
• List of URLs and affected parameters
• Other vulnerable URLs, additional payloads, Proof-of-Concept code
• Browser, OS and/or app version used during testing

Note: Failure to adhere to these minimum requirements may result in the loss of a reward.

All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.


Program Scope 


Vulnerabilities on a specific brand or web property should be reported to the program in which it is listed "in scope". Please see our detailed scope list at the bottom of this page for a full list of assets that are in scope of this program. This list is subject to change without notice.

To reduce the number of assets listed in each program we operate, out-of-scope assets are only listed on our public program policy page.

If you've found a vulnerability that affects an asset belonging to Yahoo, but it is not included as in scope on any of the Yahoo programs, please report it to this program.


Rewards 


You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Yahoo in its sole discretion. Rewards may range from HackerOne Reputation Points and swag to monetary rewards up to $15,000 USD. Awards are granted entirely at the discretion of Yahoo.

At Yahoo's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Yahoo may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty is also warranted for reports that require specific browser configurations. Reports in third-party software are not eligible for bounties.


Payout Table

Severity      Payout Range
Critical      $10,000 - $15,000
High          $3,000 - $10,000
Medium        $500 - $3,000
Low           $100 - $500
Informative   $0


Valued Vulnerabilities 


All reports will be awarded based on the Common Weakness Enumeration classification. This table provides the CWEs that we will accept, the severity ranges we will classify reports within for each CWE, and some examples of common vulnerability and attack names that we classify within each CWE. This table serves only as a guide, and the severity classification of a particular vulnerability will be determined by Yahoo in its sole discretion.

Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.


Severity (low) | Severity (high) | CWE ID | Common Weakness Enumeration | Bug Examples
Low | Medium | CWE-16 | Misconfiguration | Subdomain Takeover; Dangling DNS Record; Dangling CNAME Takeover; non-Primary Brand SDTO; DNS Zone Takeover
Critical | Critical | CWE-78 | OS Command Injection | Code Injection; LDAP Injection; Remote Code Execution
Low | High | CWE-79 | Cross-Site Scripting | Stored XSS; POST-Based XSS; GET-Based XSS; DOM-Based XSS; CSS Injection; Blind XSS
High | Critical | CWE-89 | SQL Injection | SQL Injection
Critical | Critical | CWE-91 | XML Injection | XML Injection
Medium | Medium | CWE-93 | CRLF Injection | CRLF Injection
Critical | Critical | CWE-120 | Classic Buffer Overflow | Buffer Overflow
High | Critical | CWE-134 | Uncontrolled Format String | Insecure Deserialization
Medium | Critical | CWE-138 | Improper Neutralization of Special Elements | Path Normalization
Low | Critical | CWE-200 | Information Exposure | User Enumeration with Personal Information; Credentials on GitHub; Confidential Information Exposure; Information Disclosure
Low | High | CWE-203 | Information Exposure Through Discrepancy | PHP Admin Information page; MySQL Information page (w/ credentials); Apache Status page
High | Critical | CWE-250 | Execution with Unnecessary Privileges | Privilege Escalation to System Account
Medium | Medium | CWE-284 | Improper Access Control | Environment Exposure
Low | Low | CWE-304 | Missing Critical Step in Authentication | T2 Login Page exposed
Medium | High | CWE-306 | Missing Authentication for Critical Function | Exposed Administrative Interface
Informative | Low | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Lack of Rate Limiting on Login; CAPTCHA Bypass
Low | Medium | CWE-311 | Missing Encryption of Sensitive Data | Cleartext Submission of Passwords
Informative | Low | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Weak CAPTCHA
Medium | High | CWE-352 | Cross-Site Request Forgery | State-Changing CSRF; Non-State-Changing CSRF
Informative | Informative | CWE-359 | Privacy Violation | Privacy Violation
Medium | High | CWE-434 | Unrestricted Upload of File with Dangerous Type | Unfiltered File Upload
Medium | High | CWE-444 | Inconsistent Interpretation of HTTP Requests | HTTP Request Smuggling
Medium | Medium | CWE-494 | Download of Code Without Integrity Check | S3 Bucket Upload
Low | Low | CWE-601 | Open Redirect | Open Redirect
Critical | Critical | CWE-611 | Improper Restriction of XML External Entity Reference | XXE
Low | Low | CWE-706 | Use of Incorrectly-Resolved Name or Reference | Incorrectly Resolved Name
High | Critical | CWE-732 | Incorrect Permission Assignment for Critical Resource | Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR (RW, Cross Org); IDOR (RW, Same Org)
Medium | High | CWE-798 | Use of Hard-coded Credentials | Hard Coded Credentials
Informative | Critical | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Server Side Includes Injection; Local File Inclusion; Directory Traversal; Production Host Dependency Confusion; non-Production Host Dependency Confusion
Medium | Critical | CWE-862 | Missing Authorization | Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR (RO, Same Org); IDOR (RO, Cross Org)
Informative | High | CWE-863 | Incorrect Authorization | Authorization Bypass; Account Takeover; Social Media Takeover (Brand, <12mo, w/creds); Social Media (w/o creds)
Medium | Critical | CWE-918 | Server-Side Request Forgery | Semi-Blind SSRF (Service level); Semi-Blind SSRF (Host level); Semi-Blind SSRF (File Contents); Semi-Blind SSRF (File Existence); Unrestricted SSRF; Content-Restricted SSRF (Multiple); Content-Restricted SSRF (Single)
Low | Low | CWE-941 | Incorrectly Specified Destination in a Communication Channel | Incorrect Destination

Borderline Out-of-Scope, No Bounty


These issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as Informative if found to be valid or Spam if found to be not valid. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

• Any non-Yahoo Applications
• Missing Security Best Practices
• Confidential Information Leakage
• "Self" XSS
• HTTP Host Header XSS
• Clickjacking/UI Redressing
• Use of known-vulnerable library (without proof of exploitability)
• Missing cookie flags
• SSL/TLS Best Practices
• Physical attacks
• Results of automated scanners
• Intentional Open Redirects
• Reflected file download
• Incomplete/Missing SPF/DKIM
• Social Engineering attacks
• Login/Logout/Unauthenticated CSRF
• Autocomplete attribute on web forms
• "Self" exploitation
• Denial of Service attacks
• Yahoo software that is End of Life or no longer supported
• Missing Security HTTP Headers (without proof of exploitability)
• Using unreported vulnerabilities
• Account/email Enumeration
• Internal pivoting, scanning, exploiting, or exfiltrating data


Note: 0-day and other CVE vulnerabilities may be reported 30 days after initial publication (CVE List Status of Published). We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.
Do Not Report 


The following issues are considered out of scope: 


• Those that resolve to third-party services
• Issues that do not affect the latest version of modern browsers
• Issues that we are already aware of or have been previously reported
• Issues that require unlikely user interaction
• Disclosure of information that does not present a significant risk
• Cross-site Request Forgery with minimal security impact
• CSV injection
• General best practice concerns
• All Flash-related bugs


Special Situations 


Same Bug, Different Host 


For each report, please allow Yahoo sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report to receive an additional 5% bonus (per host, not domain). Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.

Same Bug, Different Path

For each report, please allow Yahoo sufficient time to patch related paths. If you find the same bug on a different (unique) path, prior to the report reaching a triaged state, file it within the existing report to receive an additional 5% bonus (per path). Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.

[...] attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.

Note: Additional payloads, parameters, hosts and paths will not receive multiple bonuses.





Scopes

In Scope

Domain: data.mail.yahoo.com (Critical)

Domain: le.yahooapis.com (Critical)

Domain: onepush.query.yahoo.com (Critical)

Domain: proddata.xobni.yahoo.com (Critical)

Domain: apis.mail.yahoo.com (Critical)

Domain: yimg.com (Medium)
yimg is a resource storage and content distribution network (CDN).

Note: Reports submitted that exploit bugs only in the context of the yimg.com domain are most likely to be closed as Informative. Most bugs in *.yimg.com will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains (e.g. yahoo.com or aol.com) to be eligible for bounty. CVSS Environmental scores have been set to account for this limitation.

What does that mean for my report?

1. If you show escalation into a trusted domain's context (such as yahoo.com) it will be accepted at 100% bounty rate. A bonus may be applied for different instances within the trusted domain list only; not for other instances of vulnerable content on yimg.com.

[...] is removed. There are no "same bug different host" or other vulnerability grouping bonus offers for this asset.

Source code: Arkime (Critical, Eligible)
Review the Code
• Source Code
• Submit a PR to fix/update the code: fork the codebase then submit a PR
• Visit our web page at https://arkime.com/ for pre-built rpm/deb packages and instructions for running it yourself.

Out of Scope
• Known unauthenticated endpoints such as parliament.json & eshealth.json
• UI-based bugs on parliament
• demo.arkime.com
• *.molo.ch (old website)

Source code: Athenz (Critical)
Review the Code
• Source Code
• Submit a PR to fix/update the code: fork the codebase then submit a PR

Out of Scope
yahoo/athenz/ui, yahoo/athenz/contributions, and yahoo/athenz/docker are outdated relative to our own internal deployment because of our use of Okta and Duo, which we are not able to deploy to you all for this event; this is why we stated the Athenz UI was out of scope during the scoping call.

The UI was just given out as a starting point so whoever needs it can take it, integrate with their own authentication system and also provide all the necessary protections. Our UI devs worked with the Paranoids' red team internally for quite some time to go through all this, addressing many different types of bug classes with our integration with Okta and Duo, and that's what we're running in our production instance.

Other: Yahoo! (misc) (Critical, Eligible)
Bugs with Yahoo! that are not listed in scope of our other Yahoo-related assets can still be submitted to this asset and might be eligible for award, at the sole discretion of the Verizon Media Bug Bounty team.


Other: 7News (Critical)
• 7News iOS
• 7News Android

Other: Yahoo Sports: Editorial (Critical)
In Scope
• https://sports.yahoo.com/
• https://api-secure.sports.yahoo.com

Out of Scope
• shop.yahoosports.com (Third party)

Other: Yahoo Sports: Fantasy Sports (Critical)
In Scope
• Yahoo Fantasy Sports Android
• Yahoo Fantasy Sports iOS
• Yahoo Fantasy Sports (web)
• https://sports.yahoo.com/odds/

Notes
The betting feature in Fantasy is provided by a third party, BetMGM. https://sports.yahoo.com/odds/ is the page from which the user is redirected to BetMGM. This is geographically restricted.

Other: Yahoo Sports: Rivals (Critical)
In Scope
• https://n.rivals.com
• https://www.rivals.com/
• Rivals iOS

Notes
All testing against Rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.

Out of Scope
• *.rivalscampseries.com (3rd party)

Other: Yahoo Finance (Critical, Eligible)
• Yahoo Finance iOS
• Yahoo Finance Android
• *.finance.yahoo.com
• OBI Premium Checkout: https://checkout.finance.yahoo.com/checkout/v1
• API WebSockets Streaming Market Data: http://streamer.finance.yahoo.com
• finance.mobile.yahoo.com
• finance.query.yahoo.com

Other: Yahoo HK Auctions (Critical, Eligible)
• Yahoo HK Auctions Android
• Yahoo HK Auctions iOS
• Yahoo HK Auctions (web)

Other: Yahoo HK News (Critical)
• Yahoo HK News Android
• Yahoo HK News iOS

Other: Yahoo HK Shopping (Critical)
In Scope
• Yahoo HK Shopping Android
• Yahoo HK Shopping iOS
• Yahoo HK Shopping (web)

Out of Scope
• yahooshopping.myguide.hk

Other: Yahoo Live Web Insights (Critical)
• Yahoo Live Web Insights iOS

Other: Yahoo Mail (Critical, Eligible)
• Yahoo Mail Android
• Yahoo Mail AndroidGo
• Yahoo Mail FireOS
• Yahoo Mail iOS
• Yahoo Mail (web)

Out of Scope:
[...]
Other: Yahoo Search (Critical)
• Yahoo Search Android
• Yahoo Search iOS
• Yahoo Search (web)

Other: TW eCommerce: Auctions (Critical, Eligible)
In Scope
• Yahoo TW Auctions Android
• Yahoo TW Auctions iOS
• Yahoo TW Auctions:
  • *.bid.yahoo.com
  • https://tw.bid.yahoo.com
• Yahoo TW Auctions APIs:
  • https://tw.bid.yahoo.com/api/
  • https://tw.api.bid.yahoo.com:4443
• Search API: tw.search.ec.yahoo.com

Notes
• Access to the Taiwan sites from some countries in Europe may be blocked.
• Buyer accounts can be set up for any Yahoo user. Seller accounts require a TW phone number and 2FA.
• Do not use fake data (like nid) when operating the cash functions; it may cause real money to be stuck, and we will hold you accountable for broken workflows.
• You are required to clean up all the testing data related to posting new products.
• You must include the following "test" label in ALL posts (in the most visible location) to prevent regular users from interacting with hacker-created content: [PARANOIDS-Z] FIS][TEST]. Any reports identified that are missing this label will not receive a bounty.

Out of Scope
• *.yahoo.com.tw
• ismarus-ap-94600.tw.juiker.net
• *.tw.juiker.net
• auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
• *.straas.net

Other: TW Media: News (Critical)
In Scope
• Yahoo TW News Android
• Yahoo TW News iOS
• Yahoo TW News
• *.tw.news.yahoo.com
• Backend API: https://news-app.abumedia.yql.yahoo.com:443/
• Web: https://tw.news.yahoo.com
• Content API: https://ncp-gw-abu.media.yahoo.com/

Out of Scope
• news.campaign.yahoo.com.tw
• *.yahoo.com.tw

Other: TW eCommerce: Shopping (Critical)
In Scope
• Yahoo TW Shopping Android
• Yahoo TW Shopping iOS
• Yahoo TW Shopping
• twpay.buy.yahoo.com
• Web: https://tw.buy.yahoo.com/
• Mobile Web: https://m.tw.buy.yahoo.com/
• API: https://tw.mapi.shp.yahoo.com
• Search API: tw.search.ec.yahoo.com
• Rushbuy API: rushbuy.buy.yahoo.com

Out of Scope
• *.yahoo.com.tw
• iOS: TPDirect.framework
• Android: tech.cherri.tpdirect.api

Other: TW Media: Stock (Critical)
In Scope
• Yahoo TW Stock Android
• Yahoo TW Stock iOS
• Yahoo TW Stock
• tw.stock.yahoo.com
• API: https://stock-app.abumedia.yql.yahoo.com

Notes
• stock.yahoo.com and finance.yahoo.com are identical; reports will NOT be credited same-bug-different-host bonuses when issues are found on both domains.
• The TW Stock apps have a strong dependency on third-party SDK(s) for receiving real-time market quote data. Every page containing values (volume, prices, up/down flag, ...) for indexes, tickers, ETFs, ..., as well as ticker information, line charts and notification settings, is served from the SDK, and the connection to the SDK service is established when the app launches and lasts for the app's whole lifetime. These SDK service(s) are out of scope.

Out of Scope
• *.yahoo.com.tw
• tw.finance.yahoo.com
• Quote SDK (from Systex Inc.)

Other: TW eCommerce: Store (Critical)
In Scope
• Yahoo TW Store Android
• Yahoo TW Store iOS
• Yahoo TW Store
• *.tw.mall.yahoo.com
• m.mall.yahoo.com
• Web: https://tw.mall.yahoo.com/
• Mobile Web: https://m.tw.mall.yahoo.com/
• API: https://tw.ews.mall.yahooapis.com/
• Search API: tw.search.ec.yahoo.com

Out of Scope
• *.yahoo.com.tw

Other: Yahoo Video (Critical)
• Yahoo Video FireTV
• Yahoo Video tvOS

Other: Yahoo Weather (Critical)
• Yahoo Weather Android
• Yahoo Weather iOS
• Yahoo Weather (web)
Other: [...] (Critical)
• *.flurry.com

Other: Newsroom (Critical)
• Newsroom Android
• Newsroom iOS
• Newsroom (web)

Other: Yahoo News (Critical)
• *.news.yahoo.com
• yahoo.com/news

Other: Gemini (Critical)
• *.gemini.yahoo.com
• *.admanager.yahoo.com
• monetization.flurry.com

Other: Makers (Critical, Eligible)
• *.makers.com

Other: BUILD (Critical, Eligible)
• *.buildseries.com

Other: Built By Girls (Critical, Eligible)
In Scope
• *.builtbygirls.com

Notes
• You MUST register for an account with your @wearehackerone email address or else your report will NOT be eligible for bounty.

Out of Scope
• jobs.builtbygirls.com (3rd party, Jobboard.io)
• store.builtbygirls.com (3rd party, BrightStores)
• builtbygirls.mybrightsites.com (3rd party, BrightStores)

Other: Membership (Critical, Eligible)
In Scope
• https://login.yahoo.com
• https://login.aol.com
• https://api.login.yahoo.com
• https://developer.yahoo.com/oauth2/guide/

Specific paths to target...

For login.*.com
• /account/logout
• /auth/2.0/credentials
• /auth/1.0/
• /saml2/
• /account
• /oauth2
• /ylc
• /account/challenges
• /account/access
• /oauth2/device_auth
• /ctv
• /activate
• /forgot

For api.login.*.com
• /api
• /oauth2/get_token
• /oauth2/web_session
• /oauth2/device_sessions
• /oauth2/device_authorization
• /oauth2/device_auth
• /oauth2/revoke
• /oauth2/introspect

Out of Scope
• Any rate limits for authentication attempts.
• Any differentiated treatment based on account, browser, IP address etc.

Limits
• Limit traffic against our services to < 10/second when probing or testing.

Other: Omega (Critical, Eligible)
• *omega*.yahoo.com

Other: Ensemble (Critical, Eligible)
• *ensemble*.yahoo.com

Other: [...] (Critical)
• *.caldav.calendar.yahoo.com

Specific paths to look at:
• https://calendar.yahoo.com/ws/v3/users/
• https://caldav.calendar.yahoo.com/principals/users/
• https://caldav.calendar.yahoo.com/dav/*/calendar/

Limits
Limit traffic against our services to < 10/second when probing or testing.
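The "< 10/second" limit, stated for both the Membership and the Calendar assets above, is easy to honour by hand and easy to blow through with a loop. The pacer below is an added example, not Yahoo's code and not from the HackerOne page: a sliding-window limiter that admits at most nine sends into any one-second window (nine rather than ten to keep strictly under the ceiling with headroom for clock jitter), plus the after-the-fact check a tester would run over their own send times to confirm the ceiling was never exceeded. The probe paths it generates are assumed placeholders, `send` is whatever function actually issues the request (for instance one that attaches your X-Bug-Bounty header), and the demo wires in a fake clock so it runs offline and deterministically.

```python
import time
from collections import deque
from typing import Callable, Iterable, List


class RequestPacer:
    """Sliding-window pacer: at most `limit` sends in any `window` seconds.
    The default of 9 per second stays strictly under the '< 10/second'
    ceiling stated for these assets."""

    def __init__(self, limit: int = 9, window: float = 1.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.limit = limit
        self.window = window
        self._clock = clock
        self._sleep = sleep
        self._sent = deque()  # send times still inside the window

    def acquire(self) -> float:
        """Block until a send is allowed, record it, and return seconds waited."""
        waited = 0.0
        while True:
            now = self._clock()
            while self._sent and now - self._sent[0] >= self.window:
                self._sent.popleft()
            if len(self._sent) < self.limit:
                self._sent.append(now)
                return waited
            # Window is full: sleep until the oldest send falls out of it.
            delay = self.window - (now - self._sent[0])
            self._sleep(delay)
            waited += delay


class FakeClock:
    """Deterministic clock so the pacer can be exercised without real sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def max_in_window(timestamps: Iterable[float], window: float = 1.0) -> int:
    """Peak number of sends in any half-open window of length `window`: the
    figure to compare against the limit after a run."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def paced_probe(targets: Iterable[str], send: Callable[[str], object],
                pacer: RequestPacer) -> List[object]:
    """Send each target through `send`, never exceeding the pacer's rate."""
    results = []
    for target in targets:
        pacer.acquire()
        results.append(send(target))
    return results


def demo(n: int = 25) -> List[float]:
    """Drive the pacer against a fake clock and return the send times."""
    clock = FakeClock()
    pacer = RequestPacer(limit=9, window=1.0, clock=clock, sleep=clock.sleep)
    # Hypothetical paths; nothing is actually sent in this demo.
    paths = [f"/account/challenges?probe={i}" for i in range(n)]
    return paced_probe(paths, lambda _path: clock.now, pacer)


if __name__ == "__main__":
    times = demo()
    print("sends:", len(times), "peak per second:", max_in_window(times))
```

With a real clock, replace the `send` lambda by the function that performs the request; the pacer is per-process, so run one instance per target service rather than one per thread if you parallelise.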


RYOT 
In Scope 


e RYOT Mobile SDK (iOS and Android) 
“https://s.yimg.com/cv/apiv2/ar_sdk/* 
e * ryot.org (site under construction) 


Notes 


Other e The RYOT Augmented Reality SDK is used by our Critical $) Eligible 
major mobile apps. 
e ryot.org ishosted on WordPress; WP's services 


are not in scope 


Out of Scope 


e * ryotfilms.com (third party) 
e * ryot.com (third party) 
e * portal.ryot.com (third party) 


Other Engadget Critical 
In Scope 





e APIs 
e *.engadget.com 


Notes 


e Separate reports for the same or similar 
payload/issue against multiple international editions, 
will be marked as duplicates and paid only once for 
Engadget international editions. 


Out of Scope 
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e * japanese.engadget.com (Engadget International 
Edition) 
e jobs.engadget.com (3rd party, Jobboard.io) 


TechCrunch
In Scope

• *.techcrunch.com
• Custom endpoints: https://techcrunch.com/wp-json/tc/v1/* -- custom endpoints that use the WordPress architecture and output methods, modified for our uses with custom data.
• Custom mobile endpoints: https://techcrunch.com/wp-json/tc/mobile/v2/* -- the endpoints used by the mobile apps to retrieve posts.
• Default WordPress: https://techcrunch.com/wp-json/wp/v2/* -- we also leverage most of WordPress' out-of-the-box endpoints, with added custom data to augment the output.

Out of Scope

• *.crunchbase.com (3rd party, Crunchbase)
• *.tc-appunite.herokuapp.com (3rd party, Heroku, now closed)
• *.parsely.com (3rd party, Parse.ly)
• *.swiftype.com (3rd party, Swiftype, now closed)
• *.marketo.com (3rd party, Marketo)
• *.urbanairship.com (3rd party, Urban Airship)
• *.sailthru.com (3rd party, Sailthru)
• *.spot.im (3rd party, Spot.IM)
• *.tcdisrupt.com (3rd party, App)
• *.bit.ly (3rd party, Bit.ly)
• *.thomsonreuters.com (3rd party, Open Calais)
• *.tinypass.com (3rd party, Piano/Tinypass)


Autoblog
In Scope

• www.autoblog.com

Out of Scope

• *.spot.im (3rd party, Spot.IM)
AOL Mail
In Scope

• *.mail.aol.com (see exclusions below)
• rpc.mail.aol.com

Notes

• oidc.mail.aol.com (hosted by Mail, but belongs to Membership)

Out of Scope

• mail.aol.com/calsvc
• AOL iOS
• AOL Android
• AOL FireOS
• AOL Desktop Gold
• apis.mail.aol.com
• test-apis.mail.aol.com
• *.aolmail.com
• mail.aol.com/classicab
• mail.aol.com/getmydata
• mail.aol.com/ws
• *.aol.com


Yahoo Sports: Rivals Forums
In Scope

• *.forums.rivals.com

Notes

• All testing against Rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.
• This is third party software and will be awarded at a 50% bounty rate.
• Reports on this asset will not be eligible for bonuses.


Yahoo Sports: Mobile
In Scope

• Yahoo Sports iOS
• *.protrade.com

Yahoo Sports: Fantasy Slate/PicknWin

Yahoo Sports: Best Ball
In Scope

• https://bestball.fantasysports.yahoo.com/


Yahoo Sports: Fantasy Games
In Scope

• https://sports.yahoo.com/fantasy/
• Fantasy Basketball
• Fantasy Hockey
• Fantasy User Profiles
• Fantasy Football (out of season)
• Public cookie-based API endpoints (used by some FE stacks)
• Public OAuth2 endpoints
• tournament.fantasysports.yahoo.com

Out of Scope

• *.sendbird.com (Third Party, SendBird)


Yahoo Sports: Fantasy Wallet
In Scope

• https://sports.yahoo.com/dailyfantasy/account/addfunds


Yahoo Sports: Daily Fantasy
In Scope

• https://sports.yahoo.com/dailyfantasy/
• https://sports.yahoo.com/dailyfantasy/contest/create


Social Media Accounts
Requirements

• Account in question has posted content within 365 days of report submission
• Account in question is related to a company, brand, or product
• Exposed (valid/functional/active) credentials that allow login to an account

In Scope

are reporting as "vulnerable."

Out of Scope

• Account in question is related to an individual (employee, freelancer or otherwise)
• Brute forcing account credentials


TW Media: Front Page
In Scope

• tw.mobi.yahoo.com
• tw.yahoo.com
• Content API: https://ncp-gw-abu.media.yahoo.com/

Out of Scope

• *.yahoo.com.tw


TW eCommerce: Used Car
In Scope

• tw.usedcar.yahoo.com

Notes

Refer to the Notes section in the TW eCommerce: Auctions listing.

Out of Scope

• *.yahoo.com.tw
• autos.yahoo.com.tw
• tw.serviceplus.yahoo.com


Media Platform Marketing Website
In Scope

• *.verizondigitalmedia.com
• www.verizondigitalmedia.com (prod)
• stage-www.verizondigitalmedia.com (staging, only non-English content)
• research.verizondigitalmedia.com

Notes

company/request-support/ our-company/customer-support/)

Out of Scope

• *.verizonmedia.com (Company home page)
• info.verizondigitalmedia.com (Third Party, Pardot/Salesforce)
• status.verizondigitalmedia.com (Third Party, Status.io)

The pages listed under these URL paths (Third Party, instapage.com):

• www.verizondigitalmedia.com/announcement/*
• www.verizondigitalmedia.com/campaign/*
• www.verizondigitalmedia.com/case-study/*
• www.verizondigitalmedia.com/e-book/*
• www.verizondigitalmedia.com/free-trial/*
• www.verizondigitalmedia.com/infographic/*
• www.verizondigitalmedia.com/internal/*
• www.verizondigitalmedia.com/landing/*
• www.verizondigitalmedia.com/platform-updates/*
• www.verizondigitalmedia.com/referral/*
• www.verizondigitalmedia.com/report/*
• www.verizondigitalmedia.com/rsvp/*
• www.verizondigitalmedia.com/television-academy/*
• www.verizondigitalmedia.com/webinar/*
• www.verizondigitalmedia.com/white-paper/*


Media Platforms Engineering Blog
In Scope

• eng.verizondigitalmedia.com
• eng-staging.verizondigitalmedia.com

Notes

Bugs present on both staging and production will not be awarded the Same Bug Different Host bonus.


AOL (misc)
In Scope

• *.aol.com

Notes

AOL-related assets can still be submitted to this asset and might be eligible for award, at the sole discretion of the Verizon Media Bug Bounty team.

Out of Scope

• *.nat.aol.com
• *.ipt.aol.com


AOL Homepage
In Scope

• www.aol.fr
• www.aol.de
• www.aol.co.uk
• www.aol.jp
• www.aol.in
• www.aol.ca
• www.aol.com
• www.aol.com/*
• AOL Games Landing Page - https://www.aol.com/games/ -> see 3rd Party Notes below

Notes

OOS Exception: 3rd party components that affect aol.com (e.g. an XSS that executes in the AOL.com domain as a result of abusing the TravelZoo module on the Travel page).

Out of Scope

First Party Things:

• https://ottr.video.yahoo.com/v1/video-exp/schedule
• https://s.yimg.com/rb/screwdriver/ctv/ve-module/builds/prod/aol/dist/vem.js

Second Party Things:

• DataMask by AOL (White Label app)
• AOL OnePoint (White Label app)
• Private WiFi by AOL (White Label app)
• AOL Games (White Label app)

Third Party Things:

• Conversations for You, Commenting on articles (and more) (Third Party, OpenWeb)
• spot.im (Third Party, OpenWeb)
• Individual AOL Games pages are rendered by us, but we iFrame in the Masque game URLs. (Third Party, Masque)
• games.com, fungames.aol.com & fungames.com (Third Party, Masque)
• comparecards.aol.com is CNAME'd to our own ATS cluster, which forward-maps requests to the CompareCards CloudFront distribution. (Third Party, CompareCards)
• JS widget on the AOL.com homepage providing news stories. (Third Party, Zergnet)
• Server-side rendered module on aol.com/real-estate; data comes from the Zillow API. (Third Party, Zillow)
• Server-side rendered module on www.aol.com/travel; data comes from the TravelZoo API. (Third Party, Travel Zoo)
• rezserver.com (Third Party, Travel Zoo)


AOL Mobile Apps
Out of Scope

• Apps from the app stores are not in scope.


AOL Search
In Scope

• search.aol.ca
• search.aol.co.uk
• search.aol.com
• recherche.aol.fr
• suche.aol.de

Notes

Any bugs found in non-production environments will not be eligible for the Same Bug Different Host bonus if the issue also exists in production.


AOL Help
In Scope

• help.aol.com
• assistance.aol.fr

Notes

Any bugs found in non-production environments will not be eligible for the Same Bug Different Host bonus if the issue also exists in production.

Out of Scope

• assist.aol.com (2nd party service)
• helpisp.netscape.com
• helpconnect.netscape.com
• help.compuserve.com


Yahoo Elections
In Scope

Note: you MUST include the ref=electionsNight parameter to hit the right in-scope pages.

• https://www.yahoo.com/elections?ref=electionsNight
• https://www.yahoo.com/elections/senate?ref=electionsNight
• https://www.yahoo.com/elections/house?ref=electionsNight
• https://www.yahoo.com/elections/state/al?ref=electionsNight (and all other US state pages)

Notes

Any bugs found in non-production environments will not be eligible for the Same Bug Different Host bonus if the issue also exists in production.

Out of Scope

• elections.yahoo.com (First Party, Yahoo Search)
• yahoo.com/elections (First Party, Yahoo Search)
• yahoo.turbovote.org (Third Party, Turbovote)
• Historical Race Feed: https://www.realclearpolitics.com/poll/race/903/historical_data.json (Third Party, Real Clear Politics)
• Presidential RCP Feed: https://www.realclearpolitics.com/syn/verizon_2020 president trump vs /main.json (Third Party, Real Clear Politics)
• Trump Approval RCP Feed: https://www.realclearpolitics.com/syn/verizon_presi
• senate/main.json (Third Party, Real Clear Politics)
• House RCP Feed: https://www.realclearpolitics.com/syn/verizon_house_2020/main.json (Third Party, Real Clear Politics)
• Associated Press, Third Party
• Scribble Live, Third Party


IDS
In Scope

• id.vdms.io

Notes

Pre-production domains will not be eligible for Same Bug Different Host bonuses. These include:

• id-stg.vdms.io
• id-dev.vdms.io
• stg2-identity-dashboard.identity.vdms.io
• dev-identity-dashboard.identity.vdms.io
• ci-identity-dashboard.identity.vdms.io

Out of Scope

• manage.vdms.io


Online Marketplace

Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records:

• billupdate.aol.com
• myaccount.aol.com
• myservices.aol.com
• payments.aol.com
• mybenefits.aol.com
• cancel.aol.com
• bill.aol.com

Please consolidate your reports. Note: reporting the same issue separately for multiple CNAMEs will result in reports being marked as Duplicate at best.


AOL Publishers
In Scope

• *.isp.netscape.com
• *.lite.aol.com
• *.compuserve.com
• www.wmconnect.com

Other places to look

• webaccelerator.isp.netscape.com
• register.isp.netscape.com
• admin.isp.netscape.com
• netscape.compuserve.com

Out of Scope

• Subdomains of wmconnect.com outside of www

Notes

• These services are designed for delivery through slow internet connections.
• Registration for these services has been disabled.
• Help-related pages/domains should be reported to the AOL Help asset.


DSP
In Scope

• api-v3.admanagerplus.yahoo.com
• admanagerplus.yahoo.com

Notes

Restrict your rate limit on requests to 120 requests/minute to prevent yourself being auto-banned or impacting our production system.

This asset is not eligible for bounty through our public bug bounty program.
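The policy sets numeric traffic ceilings in two places: under 10 requests/second for the Yahoo Calendar assets (Limits, above) and 120 requests/minute for DSP. The pacing helper below is an added example, not code from this policy page or any Yahoo tooling; it keeps a scanner under such a ceiling with a sliding window (at most N releases in any trailing window), treats "< 10/second" as 9 per second, and takes an injectable clock so the pacing can be checked offline. FakeClock and release_times are illustration helpers for that offline check.

```python
"""Request pacing that stays inside a bug bounty program's traffic limits.

Added example, not part of the HackerOne policy page. A request is released
only if fewer than `max_requests` were released in the trailing
`window_seconds`. Clock and sleep are injectable; in a real scanner keep the
defaults (time.monotonic / time.sleep).
"""
import time
from collections import deque


class SlidingWindowLimiter:
    def __init__(self, max_requests, window_seconds, clock=time.monotonic, sleep=time.sleep):
        if max_requests < 1 or window_seconds <= 0:
            raise ValueError("need a positive request count and window")
        self.max_requests = max_requests
        self.window = float(window_seconds)
        self.clock = clock
        self.sleep = sleep
        self.released = deque()  # release timestamps still inside the trailing window

    def _prune(self, now):
        # Drop timestamps that have aged out of the trailing window.
        while self.released and now - self.released[0] >= self.window:
            self.released.popleft()

    def delay_needed(self):
        """Seconds to wait before the next request may be released (0.0 if none)."""
        now = self.clock()
        self._prune(now)
        if len(self.released) < self.max_requests:
            return 0.0
        return self.released[0] + self.window - now

    def acquire(self):
        """Block until a request may be released; return the seconds waited."""
        waited = 0.0
        delay = self.delay_needed()
        while delay > 0:
            self.sleep(delay)
            waited += delay
            delay = self.delay_needed()  # re-check: real sleep() may overshoot or undershoot
        self.released.append(self.clock())
        return waited


def per_second(max_rate, **kw):
    """Limiter for a '< N requests/second' rule: allow N-1 in any one-second window."""
    return SlidingWindowLimiter(max_rate - 1, 1.0, **kw)


def per_minute(max_rate, **kw):
    """Limiter for an 'N requests/minute' rule."""
    return SlidingWindowLimiter(max_rate, 60.0, **kw)


class FakeClock:
    """Illustration helper (assumed, not from the page): sleep() advances time instead of blocking."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def release_times(limiter, count):
    """Acquire `count` slots and return the clock reading at each release."""
    times = []
    for _ in range(count):
        limiter.acquire()
        times.append(limiter.released[-1])
    return times


if __name__ == "__main__":
    clock = FakeClock()
    lim = per_second(10, clock=clock, sleep=clock.sleep)
    print(release_times(lim, 20))  # nine at 0.0, nine at 1.0, two at 2.0
```

Wrap every request your tool sends (not only the first of a burst) in `acquire()`; a sliding window, unlike a plain fixed delay, also stops a retry loop from exceeding the ceiling after a pause.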


Android: com.yahoo.mobile.client.android.mail (Play Store)

• Yahoo Mail Android
• Yahoo Mail AndroidGo
• Yahoo Mail FireOS
• Sign up for the Beta here
Yahoo Open Source Projects (misc)

Select open source projects are now eligible for bounties! The rest of our open source projects are technically in scope, but at a reduced rate for the time being.


Other (misc)

Only use this asset when nothing else can be reasonably selected.

Bugs with Yahoo products that are not listed in scope of our Public Program can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

Use this asset for:

• *.vzbuilders.com
• *.oath.cloud
• *.yahoo.cloud


EdgeCast - Customers

Self-registered accounts will be limited to demonstration zones and are subject to automatic blocks or removal. This asset is not eligible for bounty through our public bug bounty program.

• my.edgecast.com
• api.edgecast.com/v2/mcc

EdgeCast - Partners

Self-registered accounts will be limited to demonstration zones and are subject to automatic blocks or removal. This asset is not eligible for bounty through our public bug bounty program.

• partner.edgecast.com
• api.edgecast.com/v2/pcc

Uplynk

• *.downlynk.com
• *.uplynk.net
• *.uplynk.com

This asset is not eligible for bounty through our public bug bounty program.
*.yahoo.com.tw

Yahoo Cricket

• Yahoo Cricket Android
• Yahoo Cricket iOS
• Out of Scope: cricket.yahoo.net (third party)
• Out of Scope: *.sportz.io (third party)

Yahoo 7

• au.yahoo.com
• nz.yahoo.com

Boundless
To submit bugs, contact: yj-csirt@mail.yahoo.co.jp

This includes these and possibly other domains currently and/or formerly associated with Yahoo Japan:

• *.yahoo-net.jp
• *.yahoo.net

Miscellaneous

• *.aolcdn.com
• *.yahoo.com.hk
• Media Group One
• Movies Hong Kong
• Onwander
• Volicon
• Volicloud
• Yahoo Operated WordPress blogs
• files.molo.ch


Historical & Divestitures

This is a list of products and companies which were previously owned but have been shut down or sold and are not in scope of Yahoo.

• About.me
• Flickr
• Go90
• MovieFone
• Oath: Impact
• HuffPost
• Patch Media
• Winamp
• Yahoo Answers
• Yahoo Groups
• Yahoo Play
• Yahoo Together (Squirrel)
• Yahoo Messenger
• Yahoo Small Business
• Yahoo TW eSports
• Yahoo Japan


SSRF Test Servers (information)

If you think you've got an SSRF attack against our network, please use these two groups of servers to prove it to us. Each server hosts the same set of files in a variety of formats. To prove your SSRF, send your attacks so that they attempt to read or write content to/from one of these servers in each network segment (Prod + Corp). The only difference between the hosts within each group is their geolocation, so in most circumstances it does not matter which one you target. HTTPS is also enabled on these servers.


Production Network

• banana.stand.ne1.prod.oath (banana.stand.ne1.yahoo.com)
• banana.stand.gq1.prod.oath (banana.stand.gq1.yahoo.com)
• banana.stand.bf1.prod.oath (banana.stand.bf1.yahoo.com)
• banana.stand.bf2.prod.oath (banana.stand.bf2.yahoo.com)
• banana.stand.sg3.prod.oath (banana.stand.sg3.yahoo.com)
• banana.stand.ir2.prod.oath (banana.stand.ir2.yahoo.com)
• banana.stand.tw1.prod.oath (banana.stand.tw1.yahoo.com)
• banana.stand.tp2.prod.oath (banana.stand.tp2.yahoo.com)

Corporate Network

• banana.stand.corp.gq1.cic.oath (banana.stand.cgq1.yahoo.com)
• banana.stand.corp.bf1.cic.oath (banana.stand.cbf1.yahoo.com)
• banana.stand.corp.sg3.cic.oath (banana.stand.csg3.yahoo.com)
• banana.stand.corp.ne1.cic.oath (banana.stand.cne1.yahoo.com)


Files to target take the filename format <extension>_###.<extension>. For example: txt_001.txt and zip_001.zip. We've put up a bunch of different file formats that can be targeted for your testing needs. There is one other file that is simple text but has no file extension; reach that by asking for noext_01.

File types available include:
avi, bmp, css, csv, doc, docx, dtd, flv, gif, html, icns, ics, ico, jar, jpg, js, json, md, mkv, mov, mp3, mp4, odp, ods, odt, ogg, pdf, php, png, ppt, rss, svg, tiff, txt, wav, wmv, xls, xlsx, xml, xsl, zip
http://<hostname>/hackerone-<username> so that we can identify your activity in the logs more easily.

When submitting a report (in addition to all the usual details) please make sure to:

1. Attach a copy of the file you fetched.
2. Include the timestamp you fetched the file.
3. Note the SSRF server that you fetched the file from.
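The canary host lists, the file-name convention and the three report fields above fit naturally in a small helper. The block below is an added example, not tooling from the program: it generates the target URL for each data centre, recognises which network segment (Prod or Corp) a fetched URL proves, and packages the evidence the report must carry. Assumptions, labelled in the code: the "/hackerone-<username>" marker is used as the leading path segment with the canary file name after it, the underscore in the file names, and the short FILE_TYPES subset. Nothing here touches the network; you pass in whatever bytes the vulnerable service returned.

```python
"""Target generation and evidence packaging for an SSRF proof against the canary hosts.

Added example, not the program's own tooling. Data-centre suffixes and public
host names are taken from the lists above. ASSUMED: the marker path
"/hackerone-<username>" precedes the file name, and file names use an
underscore separator (txt_001.txt, noext_01).
"""
import hashlib
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# prod canaries are banana.stand.<dc>.yahoo.com, corp canaries banana.stand.c<dc>.yahoo.com
PROD_DCS = ("ne1", "gq1", "bf1", "bf2", "sg3", "ir2", "tw1", "tp2")
CORP_DCS = ("gq1", "bf1", "sg3", "ne1")
FILE_TYPES = ("txt", "json", "xml", "zip", "pdf")  # assumed subset of the listed types

_CANARY_RE = re.compile(r"^banana\.stand\.(c?)(ne1|gq1|bf1|bf2|sg3|ir2|tw1|tp2)\.yahoo\.com$")


def canary_hosts():
    """Return (prod_hosts, corp_hosts) in their public *.yahoo.com form."""
    prod = [f"banana.stand.{dc}.yahoo.com" for dc in PROD_DCS]
    corp = [f"banana.stand.c{dc}.yahoo.com" for dc in CORP_DCS]
    return prod, corp


def canary_filename(ext, n=1):
    """'<ext>_###.<ext>', or 'noext_01' for the extension-less text file."""
    if ext == "noext":
        return "noext_01"
    if not re.fullmatch(r"[a-z0-9]+", ext) or not 1 <= n <= 999:
        raise ValueError("bad extension or index")
    return f"{ext}_{n:03d}.{ext}"


def target_url(host, username, ext="txt", n=1, https=False):
    """URL to make the vulnerable service fetch (marker-path layout is an assumption)."""
    scheme = "https" if https else "http"
    return f"{scheme}://{host}/hackerone-{username}/{canary_filename(ext, n)}"


def classify(url):
    """('prod'|'corp', dc) for a listed canary URL, else None (unlisted hosts prove nothing)."""
    host = urlparse(url).hostname or ""
    m = _CANARY_RE.match(host)
    if not m:
        return None
    corp, dc = bool(m.group(1)), m.group(2)
    if corp and dc not in CORP_DCS:
        return None
    return ("corp" if corp else "prod", dc)


def sha256_hex(body):
    return hashlib.sha256(body).hexdigest()


def evidence(url, body, fetched_at=None):
    """The report fields the policy asks for (file, timestamp, server) plus a content hash."""
    seg = classify(url)
    if seg is None:
        raise ValueError(f"{url} does not point at a listed SSRF canary")
    fetched_at = fetched_at or datetime.now(timezone.utc)
    parsed = urlparse(url)
    return {
        "server": parsed.hostname,
        "segment": seg[0],
        "dc": seg[1],
        "path": parsed.path,
        "size": len(body),
        "sha256": sha256_hex(body),
        "timestamp": fetched_at.isoformat(),
    }


def coverage(urls):
    """Which segments a set of successful fetches proves; the policy wants both Prod and Corp."""
    segs = {c[0] for c in map(classify, urls) if c}
    return {"prod": "prod" in segs, "corp": "corp" in segs, "complete": segs == {"prod", "corp"}}


if __name__ == "__main__":
    prod, corp = canary_hosts()
    print(target_url(prod[0], "alice"), target_url(corp[0], "alice", "noext"))
    # constructed sample body standing in for what the vulnerable service returned
    print(evidence(target_url(prod[0], "alice"), b"constructed sample body\n"))
```

Keep the raw bytes you attach to the report and the hash in the evidence record together; triage compares what you fetched against the server logs, and the timestamp plus host name are what let them find your request.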


The Fine Print 


If you can't hit these servers but can hit something else inside our network, you must provide a 
working POC and understand that we will individually evaluate impact of the host you tested with. 


We reserve the right to award a $0 bounty for any SSRF (or similar) reports that are not able to touch 
these servers. 


Also, we will periodically review the logs on these servers and may reach out to hackers that have hit 
the server but not submitted a report. If this happens, you will be eligible for a maximum award of 
10% for the report. 


Challenge Coins 


These are just for fun. 


e H1-213-2019 
e [H1-415-2020](coming soon) 
e [H1-2004-2020](coming soon) 


Umbrella Out of Scope List

Any other reference to out of scope items in this policy or scope still applies. Verizon Media reserves the right to award or not award on assets that may not yet be on this list or in this policy.

ALL THE FOLLOWING ASSETS ARE OUT OF SCOPE


• AOL Mail
  • AOL Desktop Gold
  • apis.mail.aol.com
  • test-apis.mail.aol.com
  • *.aolmail.com
  • mail.aol.com/classicab
  • mail.aol.com/getmydata
  • mail.aol.com/ws
  • mail.aol.com/calsvc

• Athenz Source Code
  • yahoo/athenz/ui
• Autoblog
  • *.spot.im (3rd party, Spot.IM)
  • Development-like environments for autoblog.com exist, but should not be tested; keep the testing in Production (www.).

• Built By Girls
  • jobs.builtbygirls.com (3rd party, Jobboard.io)
  • store.builtbygirls.com (3rd party, BrightStores)
  • builtbygirls.mybrightsites.com (3rd party, BrightStores)


• *.vdms.com

• EdgeCast
  • Customers
  • Partners
  • Wholesalers

• Engadget
  • *.spot.im (3rd party, Spot.IM)
  • *.cn.engadget.com (Engadget International Edition)
  • *.chinese.engadget.com (Engadget International Edition)
  • *.japanese.engadget.com (Engadget International Edition)
  • jobs.engadget.com (3rd party, Jobboard.io)


• Historical & Divestitures
  • About.me
  • Flickr
  • Go90
  • MovieFone
  • Patch Media
  • PawNation
  • Polyvore
  • Shoutcast
  • Style Me Pretty
  • Winamp
  • Yahoo Together (Squirrel)
  • Yahoo Play
  • Yahoo TW eSports

• The Huffington Post
  • news.huffingtonpost.com (3rd party, CampaignMonitor)
  • coupons.huffpost.com (3rd party, Groupon)
  • huffpost.atlassian.net (3rd party, Atlassian)
  • huffpoststuff.com (3rd party, StackCommerce)
  • subscribe.huffpost.com (3rd party, Epsilon)


• Miscellaneous
  • *.aolcdn.com
  • Volicon
  • Volicloud
  • Yahoo Operated WordPress blogs
  • files.molo.ch
  • sg.auctions.yahoo.com (3rd party, GMarket)


• Moloch Source Code
  • Known unauthenticated endpoints such as parliament.json & eshealth.json
  • www.molo.ch
  • demo.molo.ch
  • *.molo.ch (production website)
  • UI based bugs on parliament


• RYOT
  • *.ryotfilms.com (third party)
  • *.ryot.com (third party)
  • *.portal.ryot.com (third party)
  • *.spot.im

• TechCrunch
  • *.crunchbase.com (3rd party, Crunchbase)
  • *.tc-appunite.herokuapp.com (3rd party, Heroku, now closed)
  • *.parsely.com (3rd party, Parse.ly)
  • *.swiftype.com (3rd party, Swiftype, now closed)
  • *.marketo.com (3rd party, Marketo)
  • *.urbanairship.com (3rd party, Urban Airship)
  • *.sailthru.com (3rd party, Sailthru)
  • *.spot.im (3rd party, Spot.IM)
  • *.tcdisrupt.com (3rd party, App)
  • *.bit.ly (3rd party, Bit.ly)
  • *.thomsonreuters.com (3rd party, Open Calais)
  • *.tinypass.com (3rd party, Piano/Tinypass)


• TW eCommerce: Auctions
  • *.yahoo.com.tw
  • ismarus-ap-94600.tw.juiker.net
  • *.tw.juiker.net
  • auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
  • *.straas.net
  • iOS: JuikerIMSDK.framework, StraaS-iOS-SDK
  • Android: io.straas.android.sdk
  • ecfme.famiport.com.tw (Third Party)

• TW eCommerce: Shopping
  • *.yahoo.com.tw
  • iOS: TPDirect.framework
  • *.yahoo.com.tw

• Uplynk (VDMS)

• Verizon
  • MapQuest
    • MapQuest Android
    • MapQuest FireOS
    • MapQuest iOS
    • *.mapquest.com
  • MovilData
  • Skyward
  • XO
  • *.verizonwireless.com
  • *.verizon.com
  • *.verizon.net
  • *.vzw.com
  • *.myvzw.com
  • *.verizonbusiness.com

• vzbuilders
  • smart.vzbuilders.com
  • Some other vzbuilders subdomains

• Yahoo 7
  • au.yahoo.com
  • nz.yahoo.com

• Yahoo Answers

• Yahoo Cricket
  • Yahoo Cricket Android
  • Yahoo Cricket iOS
  • Out of Scope: cricket.yahoo.net (third party)
  • Out of Scope: *.sportz.io (third party)

• Yahoo Japan
  • *.yahoo-net.jp

• Yahoo Mail
  • mail.yahoo.com/cal/ (this is the same as calendar.yahoo.com and should be reported as Yahoo Calendar)

• Yahoo Messenger
  • Yahoo Messenger Android
  • Yahoo Messenger iOS
  • Yahoo Messenger (web)
• Yahoo Small Business
  • Store Editor
  • YSB Developer Network
  • Commerce Central
  • Localworks
  • Luminate
  • Wizards
  • All other YSB related products/services/sites
  • https://s.yimg.com/pq/*
  • *.webhosting.yahoo.com

• Yahoo Sports: Editorial
  • shop.yahoosports.com (Third party)

• Yahoo Sports: Fantasy Games
  • *.sendbird.com (Third Party, SendBird)

• Yahoo Sports: Rivals
  • *.rivalsfanstore.com (3rd party, Fanatics Inc.)
  • *.rivalscamps.com (3rd party)
  • *.rivalscampseries.com (3rd party)
  • Rivals iOS

• *.yahoo.com.tw
• *.yahoo.net

SSP Advertising Products

These products with their listed domains are NOT eligible for bounty or reputation for the time being:

• CRS - crs-prd.aws.oath.cloud
• Deals UI - deals.o2.verizonmedia.com
• O2 - adaptv.advertising.com
• OneAdServer - console.oneadserver.aol.com
• OneAPI - oneapi.aol.com
• OneCreative - onecreative.aol.com
• OneInsights - alephd.com
• OneMobile - onemobile.aol.com
• OneReporting - vidible.tv
• OneVideo - onevideo.aol.com
• SSP - ssp.verizonmedia.com
• SSP External API - ext.api.ssp.aol.com
• Store - store.vzbuilders.com, sales.oath.com

Note: Any domain for these products that is not listed here is ALSO not eligible for bounty or reputation.
Response Efficiency (based on last 90 days)

Average time to first response: 5 days
Average time to triage: 17 days
96% of reports meet response standards

Program Statistics (updated daily)

Total bounties paid: >$21,520,000
Average bounty: $500
Top bounty range: $6,500 - $40,000
Bounties paid in the last 90 days: $170,000
Reports received in the last 90 days: 468
Last report resolved: 2 days ago
Reports resolved: 10594

Top hackers

mayonaise - Reputation: 14681
dawgyg - Reputation: 14056
nnwakelam - Reputation: 12656
todayisnew - Reputation: 8786
meals - Reputation: 7135